Everyone should employ an intrusion detection system (IDS) to monitor their network and flag any suspicious activity or automatically shut down potentially malicious traffic. We look at five of the best open source options.
As cybersecurity professionals, we try to prevent attackers from gaining access to our networks but protecting perimeters that have grown exponentially with the rise of mobile devices, distributed teams, and the internet of things (IoT) is not easy. The unpalatable truth is that sometimes the attackers are going to get through and the cost of a data breach grows the longer it takes you to uncover the attack.
You’ll find that IDS is typically divided into two groups: There’s signature-based IDS, which scans for known malicious traffic patterns and alerts when it discovers them, and there’s anomaly-based IDS, which looks at baselines rather than signatures to expose deviations from the norm.
It’s crucial to deploy IDS across your network, from internal servers to data centers to public cloud environments if you want to safeguard your data and systems. It’s worth noting that IDS can also reveal misbehavior on the part of your employees, encompassing insider threats and plain old laziness in the form of streaming Netflix all day or chatting on Facebook Messenger.
Luckily, there are many open source intrusion detection tools that are worth checking out and we’ve got five examples for you right here.
As the de-facto standard for IDS, Snort is an extremely valuable tool. This Linux utility is easy to deploy and can be configured to monitor your network traffic for intrusion attempts, log them, and take a specified action when an intrusion attempt is detected. It’s one of the most widely deployed IDS tools and it also acts as an intrusion prevention system (IPS).
Snort stretches way back to 1998 and shows no signs of fading away, with an active and very helpful community that provides great support. There’s no GUI here and it lacks an administrative console, but you can snag another open source tool like Snorby or Base to bridge that gap. The high level of customization that Snort offers makes a great choice for a lot of different organizations.
If you don’t want to use Snort for some reason, then Suricata is a strong alternative.
Powered by an analysis engine that converts traffic into a series of events, Bro can detect suspicious signatures and anomalies. You can use Bro-Script to craft tasks for the policy engine, which makes this a powerful choice for anyone aiming to automate more work. For example, this tool is capable of automatically downloading suspicious files it spots on the network, sending them for analysis, notifying relevant people if anything untoward is uncovered, blacklisting the source and shutting down the device that downloaded it.
The drawback with Bro is that there’s a steep learning curve to extract the most value out of it and it can prove complicated to set up. However, the community is growing and providing more help by the day and Bro is capable of detecting anomalies and patterns that other intrusion detection tools might miss.
As the standard for wireless IDS, Kismet is an essential tool for most businesses. It focusses on wireless protocols, including Wi-Fi and Bluetooth, and tracks down unauthorized access points, which are all too easy for employees to create accidentally. It can detect default networks or configuration gaps and it can hop channels, but it does take a long time to search networks and has a limited range for best results.
Kismet will run on several different platforms, including Android and iOS, but Windows support is limited. There are various APIs for integrating additional tools and it offers multithreaded packet decoding for higher workloads. It recently got an all-new, web-based user interface with extended plug-in support.
Moving on to host-based IDS, or HIDS, we come to OSSEC, which is by far the most full-featured HIDS option. It’s very extensible and runs on most major operating systems, including Windows, Linux, Mac OS, Solaris and more. It has a client/server architecture which sends alerts and logs to a centralized server for analysis. That means alerts will go through even if the host system is knocked offline or fully compromised. This architecture also makes deployment a breeze because it enables central management of multiple agents.
It’s a small installer and has a very light impact on system resources once it’s up and running. It is also very customizable and can be configured to act in real-time automatically. There’s a large community around OSSEC and plenty of resources to dip into.
If the idea of a central server gives you pause, then you might consider Samhain Labs as an alternative that’s also host-based, but offers multiple output methods from the agent.
5. Open DLP
Data Loss Prevention (DLP) is the aim of the game for this tool. It’s capable of scanning your data while it’s at rest in databases or on file systems. Open DLP will search for sensitive data relating to your organization to uncover unauthorized copying and transmission of that data. This can be great for finding malicious insiders or incompetent employees sending out data that they shouldn’t. It works well on Windows, but also supports Linux and can be deployed via agents or as an agentless tool.
The bottom line
As you can see there are lots of excellent, free, open source intrusion detection tools to choose from and this is by no means an exhaustive list, but these five options are a great place to start.